https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/
Only lists the following rule requiring disclosure of CA security issues:

1. When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the Mozilla Policy for Handling Security Bugs should be followed.

Since a major root compromise is generally considered the worst possible security event for a trusted CA, this wording could easily be (mis?)understood not to require reporting of lesser security failures, such as issuing millions (or just hundreds) of certificates without proper validation etc.

Am I reading something wrong, or is there an unintended loophole in the Mozilla Policy, as written, in this regard?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

